Article

From the Trenches at Sun Identity, Part 1: Access Management for Web Applications


By Marina Sum, March 17, 2008

See also:
Part 2: OpenSSO, a Thriving Community
Part 3: Federated Access Management Simplified

Jamie Nelson, director of engineering, access and federation management, Sun Microsystems

Jamie Nelson joined Sun over a decade ago as an engineer in network and system management, followed by portal development and then identity in 2001. He became a manager in 2003 and is now director of engineering for access and federation management.

A few days ago, I interviewed Jamie for his take on security as it pertains to application development on the Web. Astute and knowledgeable, he has many illuminating insights to share.

Major Oversight in Web Development

"Typically, the number-one problem in developing Web applications is that identity is often an afterthought," Jamie observes. "Developers tend to focus on the logic, UI, and other aspects until it dawns on them, toward the end of the cycle, that they must secure the applications for, say, user logins and protect the data. Then come the important questions of what tools to use for verifying and authorizing access, what maintenance tasks are involved, whether to adopt federated identity—all afterthoughts at the eleventh hour."

What exacerbates the situation, Jamie adds, is that the security portion—authentication, authorization, and audit—is "often built into the application on a tear," meaning that many harried developers would just copy and paste community code or build it themselves—usually in a rush. The various applications in a corporation then become silos with independent identity infrastructures that form roadblocks for single sign-on (SSO).

SSO and Beyond

"Companies soon realize the inefficiency of having umpteen different ways to secure applications," Jamie continues, "and the access management market blooms." Architects and engineers start looking into SSO, that is, "getting rid of N passwords for N applications and employing common code." With Sun Java System Access Manager (henceforth, Access Manager), which is also available as open-source OpenSSO, corporations can centralize security with SSO and enable developers to focus on what they do best: programming.

Jamie believes that software development nowadays is well past SSO and moving into much more robust federated access management. As corporations design internal IT infrastructures, they mandate that their application developers incorporate security, which can then be seamlessly and smoothly folded into the Web-service environments. "Again," Jamie emphasizes, "the goal is to free up developers to do their primary jobs instead of fiddling with security."

Some applications serve internal and external customers alike, and Access Manager can handle a variety of scenarios, including federated identity across enterprises. Also, since outsourcing has become a common practice, corporations, even if they are serviced by vendors, can federate applications and keep login credentials confidential within the firewall. An example is Sun's myHR portal, which is maintained by a third-party company that trusts the logins passed on by Access Manager at Sun.

"That's the current state of SSO," Jamie explains. "Doing business outside the firewall while ensuring security and privacy is what federation is all about."

The Right Tool and the Right Platform

Jamie strongly advocates access management being part of the application design. Applications that work centrally with access management are the answer, he says; otherwise, "you end up creating a load of mundane and unnecessary work for professional-service engineers and system integrators." Typically, as in health-care applications, you "retrofit or use a wedge to incorporate SSO into applications."

"Where should developers start? What tool would you recommend?" I ask.

"Secure applications with Access Manager or its open-source twin, OpenSSO," suggests Jamie. "Alternatively, develop on the Java Application Platform SDK. It's free for download, complete with Access Manager as the identity component. That way, you do the right thing for access management from the start."

As a reference for the Java Application Platform SDK approach, see the paper Securing Web Services Communications.

Jamie cautions developers to assume that they will delegate the security infrastructure to some other product. "In other words, don't ever hard-code security into your application."

"Furthermore," he adds, "as the industry advances, applications don't need to change and should automatically take advantage of the progress. To avoid high maintenance overheads, use Access Manager or OpenSSO, or develop on the Java EE platform [Java Platform, Enterprise Edition] as offered by the SDK. Life will then be a lot easier not just for yourself but for your company, too."
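As an added illustration (not code from the article, from Sun, or from Access Manager), the contrast Jamie draws expressed in Java EE servlet terms: an application that embeds its own credential check beside one that only consumes the identity the container has already established, which an Access Manager or OpenSSO agent can supply. The class names, the role name, and the URL pattern are assumed.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.*;

// Anti-pattern from the interview: identity bolted on inside one application. The user
// store and password check are private to this servlet, so each such application is its
// own silo with no SSO and no central audit trail.
class HardCodedReportServlet extends HttpServlet {
    private static final Map<String, String> USERS = new HashMap<String, String>();
    static { USERS.put("alice", "s3cret"); } // constructed sample credential

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("user");
        String pass = req.getParameter("pass");
        if (user == null || pass == null || !pass.equals(USERS.get(user))) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        resp.getWriter().println("report for " + user);
    }
}

// Delegated pattern: the application never sees a password. Authentication and the role
// decision happen in the container, or in an Access Manager / OpenSSO agent in front of
// it, driven by a declarative web.xml constraint such as (assumed names):
//   <security-constraint>
//     <web-resource-collection><web-resource-name>reports</web-resource-name>
//       <url-pattern>/reports/*</url-pattern></web-resource-collection>
//     <auth-constraint><role-name>hr-staff</role-name></auth-constraint>
//   </security-constraint>
// Changing the identity provider later means changing that configuration, not this code.
class DelegatedReportServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Populated by the container after it authenticated the caller; null otherwise.
        // The check is kept as defence in depth even though the constraint already applies.
        Principal who = req.getUserPrincipal();
        if (who == null || !req.isUserInRole("hr-staff")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.getWriter().println("report for " + who.getName());
    }
}
```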

Marina Sum is a staff writer for Sun Developer Network. She has been writing for Sun since 1989, mostly in the technical arena. Marina blogs on Sun's products, technologies, events, publications, and unsung heroes.